Breach Based on Harm Threshold: Yes
Deadline for Consumer Notice: Without unreasonable delay
Government Notification Required: Yes
Scope of this Summary:
Notification requirements applicable to businesses that own or license covered info. Some types of businesses may be exempt from some or all of these requirements; non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification not required if no illegal use of covered info has occurred or is reasonably likely to occur and breach does not create a material risk of harm to resident.
Unauthorized access and acquisition of covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted or redacted, so long as encryption key was not compromised.
Form of Covered Info
Electronic or Paper
- A person's first name or first initial and last name in combination with identifying information:
- Social Security or employer taxpayer identification numbers.
- Driver's license, state identification card, or passport numbers.
- Checking account numbers.
- Savings account numbers.
- Credit card numbers.
- Debit card numbers.
- Personal Identification (PIN) Code
- Digital signatures.
- Any other numbers or information that can be used to access a person's financial resources.
- Biometric data.
- Personal information may also include a person's first name or first initial and last name in combination with the following if this information would permit access to a person's financial account or resources:
- Electronic identification numbers.
- Electronic mail names or addresses.
- Internet account numbers.
- Internet identification names.
- Parent's legal surname prior to marriage.
Consumer Notice Timing
Must be made without unreasonable delay, taking any necessary measures to determine sufficient contact info, determine the scope of the breach, and restore the reasonable integrity, security, and confidentiality of the system.
Consumer Notice Method
By written notice, telephone notice (provided that contact is made directly with the affected persons), or electronic notice (if residents have agreed to receive communications electronically, the entity has a valid email address for the affected persons, and notice is consistent with E-SIGN). Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
The notification shall be clear and conspicuous and include all of the following:
- A description of the incident in general terms.
- A description of the type of personal information that was subject to the unauthorized access and acquisition.
- A description of the general acts of the business to protect the personal information from further unauthorized access.
- A telephone number for the business that the person may call for further information and assistance, if one exists.
- Advice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.
- The toll-free numbers and addresses for the major Consumer Reporting Agencies.
- The toll-free numbers, addresses, and Web site addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that the individual can obtain information from these sources about preventing identity theft.
Notification shall be delayed if law enforcement determines that the notification may impede a criminal investigation or jeopardize homeland or national security and makes the request in writing, or the covered entity documents the request contemporaneously in writing, including the name of the officer and agency.
If residents are notified, must notify, without unreasonable delay, the Consumer Protection Division of the Attorney General's office and provide the nature of the breach; number of consumers affected; steps taken to investigate the breach; steps taken to prevent a similar breach in the future; and information regarding the timing, distribution, and content of the consumer notices.
Consumer Reporting Agency Notice
If more than 1,000 residents are notified, must notify, without unreasonable delay, all nationwide Consumer Reporting Agencies of timing, distribution, and content of the consumer notice.
Exceptions for Other Laws
If you maintain covered info on behalf of another entity, must notify immediately following discovery of a breach.
Private Right of Action
A violation of the general breach notification statute is a violation of the North Carolina unfair and deceptive trade practices statute and an injured person may bring a civil action.
Violations may result in civil penalties.